Privacy Policy
Last updated: April 3, 2026
Living Story (“we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Living Story platform at livingstory.app (the “Service”).
We believe your stories are deeply personal. Our approach to privacy is simple: your data belongs to you. We collect only what we need to provide the Service, we never sell your data, and we give you full control over your content.
1. Information We Collect
1.1 Information You Provide
- Account information: Name, email address, and password when you create an account.
- Profile information: Display name, date of birth (optional), and timezone preferences.
- Content: Stories, voice recordings, photos, videos, and other media you upload or create using the Service.
- Communications: Messages you send to us, feedback, and support requests.
- Payment information: Billing details processed securely by our payment provider, Stripe. We do not store your full credit card number.
1.2 Information Collected Automatically
- Usage data: Pages visited, features used, and interactions with the Service.
- Device information: Browser type, operating system, and device identifiers.
- Log data: IP address, access times, and referring URLs.
1.3 Third-Party Services
If you connect third-party services (such as Google Photos), we access only the specific data you authorize and only for the purpose of importing content into your Living Story.
1.4 Google Photos Data
When you use our Google Photos import feature, the following applies:
- What we access: We use the Google Photos Picker API with the photospicker.mediaitems.readonly scope. This means we can only view photos you explicitly select through Google's Picker interface. We never access your full Google Photos library.
- How we use it: Selected photos are imported into your Living Story family repository to be included alongside your stories, voice recordings, and other content. Photos may be analyzed by AI for automatic tagging and organization (e.g., face detection for grouping by person, label detection for categorization).
- How it is stored: Imported photos are stored securely on Cloudflare R2 storage, encrypted at rest. Each photo is associated with your private repository and is not accessible to anyone outside your authorized family members.
- Who can see it: Imported photos are only visible to family members you have explicitly invited to your repository. Photos are not shared publicly unless you choose to include them in a published Living Story.
- Data retention: Imported photos remain in your repository until you delete them or close your account. You can delete individual imported photos at any time from your repository.
- No AI training: We do not use your Google Photos data to train any AI or machine learning models. Our AI providers (Anthropic, Google Gemini, and OpenAI) process photos only to generate tags and descriptions for your use within the Service, under data processing agreements that prohibit training on customer data.
- No advertising: We do not use your Google Photos data for advertising, profiling, or any purpose beyond providing the Service to you.
- Revoking access: You can disconnect Google Photos from your Living Story account at any time through your account settings. Revoking access prevents future imports but does not automatically delete previously imported photos (you can delete those separately).
For questions about how we handle your Google Photos data, contact us at privacy@livingstory.app.
2. How We Use Your Information
We use your information to:
- Provide, maintain, and improve the Service
- Process your content (e.g., transcribing voice recordings, generating AI summaries)
- Send you service-related communications (e.g., daily prompts, notifications)
- Process payments and manage your subscription
- Respond to your support requests
- Protect against fraud, abuse, and security threats
- Comply with legal obligations
We do not:
- Sell, rent, or trade your personal information to third parties
- Use your content to train AI models
- Display advertising or share data with advertisers
- Access your content for any purpose other than providing the Service
3. AI Processing
Living Story uses artificial intelligence to enhance your experience, including:
- Transcribing voice recordings to text
- Generating story titles, tags, and follow-up prompts
- Powering AI conversations about your family stories
- Creating monthly recaps and organizing content
- Generating book layouts and chapter structures
Your content is processed by our AI providers (Anthropic, Google Gemini, and OpenAI) solely to provide these features. Your content is not used to train their AI models. We use API services with data processing agreements that prohibit training on customer data.
4. How We Share Your Information
We share your information only in the following circumstances:
- With family members you invite: When you share stories with family members, they can view the content you make visible to them based on your privacy settings.
- Service providers: We use trusted third-party services to operate the platform, including Supabase (database and authentication), Stripe (payments), Mailgun (email delivery), Cloudflare (media storage), Anthropic, Google, and OpenAI (AI processing), and Vercel (hosting). These providers are bound by data processing agreements.
- Legal requirements: We may disclose information if required by law, regulation, legal process, or governmental request.
- Safety: We may disclose information to protect the rights, safety, or property of Living Story, our users, or the public.
Data Processing Agreements (DPAs) are in place with each of our service providers listed above. Copies are available upon request by contacting privacy@livingstory.app.
5. Data Storage and Security
- Your data is stored on secure servers provided by Supabase (database) and Cloudflare R2 (media files), both of which use encryption at rest and in transit.
- All connections to the Service use HTTPS/TLS encryption.
- Passwords are hashed using industry-standard algorithms and are never stored in plain text.
- We implement row-level security policies to ensure users can only access their own data and content shared with them.
- We regularly review and update our security practices.
6. Data Retention
We retain your data for as long as your account is active. If you delete your account, we will delete your personal information and content within 30 days, except where retention is required by law or necessary to resolve disputes.
Backup copies may persist in our systems for up to 90 days after deletion.
7. Your Rights and Choices
You have the right to:
- Access: Request a copy of the personal information we hold about you.
- Correction: Update or correct inaccurate personal information.
- Deletion: Request deletion of your account and associated data.
- Export: Download your stories, recordings, and media at any time.
- Opt-out: Unsubscribe from non-essential emails at any time.
- Restrict processing: Request that we limit how we use your data.
To exercise any of these rights, contact us at support@livingstory.app.
8. Your California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: What personal information we collect and how we use it.
- Right to Delete: Request deletion of your personal information.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out: We do not sell or share your personal information for cross-context behavioral advertising.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
To exercise these rights, contact us at privacy@livingstory.app or use the account settings in your dashboard.
We do not sell personal information as defined by the CCPA. We do not share personal information for cross-context behavioral advertising.
9. Children's Privacy
The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected information from a child under 13, we will promptly delete it. If you believe a child has provided us with personal information, please contact us.
10. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws. For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, as implemented by our service providers including Supabase, Anthropic, Google, OpenAI, Cloudflare, and Vercel.
11. Cookies and Tracking
We use essential cookies to maintain your session and authentication state. We do not use third-party tracking cookies or advertising trackers. We may use minimal analytics to understand how the Service is used and to improve it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on the Service. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
13. Contact Us
If you have questions about this Privacy Policy or our privacy practices, please contact us:
- Email: support@livingstory.app
- Website: livingstory.app